Merge pull request #2767 from camilamacedo86/uncomment-restricted

✨ leave the pod.spec.containers[0].capabilities.DROP.All uncommented by default

pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go

@@ -57,10 +57,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go

@@ -90,10 +90,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go

@@ -57,10 +57,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go

@@ -90,10 +90,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

test/e2e/v3/generate_test.go

@@ -237,27 +237,6 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`
 
 func uncommentPodStandards(kbc *utils.TestContext) {
 	configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml")
-	managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")
-
-	//nolint:lll
-	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"`, `  capabilities:
-            drop:
-              - "ALL"`); err != nil {
-		ExpectWithOffset(1, err).NotTo(HaveOccurred())
-	}
-
-	//nolint:lll
-	if err := pluginutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"`, `  capabilities:
-            drop:
-              - "ALL"`); err != nil {
-		ExpectWithOffset(1, err).NotTo(HaveOccurred())
-	}
 
 	//nolint:lll
 	if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges

testdata/project-v3-addon/config/default/manager_auth_proxy_patch.yaml

@@ -12,10 +12,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-addon/config/manager/manager.yaml

@@ -42,10 +42,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3-config/config/default/manager_auth_proxy_patch.yaml

@@ -12,10 +12,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-config/config/manager/manager.yaml

@@ -40,10 +40,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3-multigroup/config/default/manager_auth_proxy_patch.yaml

@@ -12,10 +12,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-multigroup/config/manager/manager.yaml

@@ -42,10 +42,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3-with-kustomize-v2/config/default/manager_auth_proxy_patch.yaml

@@ -12,10 +12,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-with-kustomize-v2/config/manager/manager.yaml

@@ -42,10 +42,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3/config/default/manager_auth_proxy_patch.yaml

@@ -12,10 +12,9 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3/config/manager/manager.yaml

@@ -42,10 +42,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
-        # TODO(user): uncomment for common cases that do not require escalating privileges
-        # capabilities:
-        #   drop:
-        #     - "ALL"
+          capabilities:
+            drop:
+              - "ALL"
         livenessProbe:
           httpGet:
             path: /healthz